Cloud Security's Next Evolution?

While the cloud has been one of the greatest technology disruptions of recent times, the biggest impediments to its adoption have been the limitations of enterprises in governing infrastructure beyond their perimeter. The idea, then, of Cloud Access Security Brokers is an organic evolution of the need enterprises had to ensure that security policies are effectively projected and complied with, even in the cloud.

CASBs seem to be the flavor of the season, with a mention of them being made in conferences, including RSA Singapore and the Gartner Security Summit in Mumbai.

"CASB's unique proposition is that it helps enforce consistent policies, creates visibility and maybe opportunistically allows you to encrypt or federate with a variety of cloud providers."

Business consultancy Gartner's IT glossary defines CASBs as services that are on-premises, or cloud-based security policy enforcement points, which consolidate multiple types of security policy enforcement by acting as "security brokers" between the consumer and the cloud service provider.

CASBs are information security solutions that act as an intermediary between an organization and the cloud service providers the organization uses, says Jim Reavis, CEO of the Cloud Security Alliance. "CASBs help organizations gain visibility into the cloud services they are using, enforce organizational policies and perform a variety of security functions, such as data loss prevention, encryption, intrusion detection, identity federation and other capabilities depending upon the specific CASB."

CASB Evolution & Need

CASB companies primarily were started by InfoSec entrepreneurs who saw an opportunity to provide enterprises with a capability to enable customer-specific security controls over cloud computers that customers lack physical access to, says CSA's Reavis. "These CASB innovators correctly guessed that customers would be frustrated by gaps in cloud service providers' security capabilities and difficulties in gaining visibility into key indicators of security health," he says.

One of the biggest challenges with the cloud from a risk perspective - which I have heard speaking to numerous practitioners - is that central IT no longer has 100 percent visibility into the usage of cloud in an organization. This is because it is so easy to provision, and anyone in the organization with a credit card can go out and but some services, they say.

Further, that the security appliances and tools that enterprises use to secure their infrastructure today may not be effective in the cloud is a given - because a lot of the activity and computing is happening off-premises. Security demands in the cloud are more nuanced than with the perimeter, says Reavis. "Because cloud is heavily standardized, it provides a much simpler security challenge than legacy IT. But it is different in that you don't have the same kind of physical access and controls," he says. (Also listen to: Cloud Security: Lessons Learned)

CASBs are filling this gap. Hugh Thompson, Blue Coat's CTO and senior vice president, says that CASBs are another evolution of the idea that you need to stop, inspect, and allow or disallow - which is going to remain a fundamental concept in security. "Now where does that checkpoint happen?" he asks. "Earlier, this used to be at the perimeter; today, that same inspection point needs to also exist in the cloud." (Also read Hugh Thompson's interview: The Maturing of Breach Notification)

Gartner's Lawrence Pingree, who is a research director at the consultancy, adds that CASB inserts security and enforces policy when you leave the perimeter - for example in the case of devices leaving the enterprise and there is no more perimeter to do security inspection. (Also see: Security Focus Shifts to Detection)

"CASB's unique proposition is that it helps enforce consistent policies, creates visibility and maybe opportunistically allows you to encrypt or federate with a variety of cloud providers," Reavis says. He believes organizations need to explore how these solutions can help augment the security capabilities of the cloud provider, as well as give the enterprise more visibility and control.

CASB Going Forward

From what I have heard from the analysts so far, Gartner is bullish on the adoption of CASBs, especially in the Asian context, given that many organizations are leapfrogging to the cloud in the course of their digital transformation journeys.

CSA's Reavis agrees that CASBs are seeing the greatest popularity with large enterprises in Asia. Larger companies here are tending to use a greater number of cloud services, and the more cloud services a company uses, the more difficult it is to manually track these services, he says. He therefore expects large companies will benefit from the automation and a single security dashboard for their cloud services.

Reavis believes there is clearly a lot of upside to the CASB market. Some consolidation is already happening, but for the most part, these companies will be independent of major cloud providers, he says. According to Gartner's Pingree, moves are already being made. "Blue Coat acquired PerspecSys, Checkpoint announced its Capsule Cloud Service. Palo Altos has CirroSecure, which relatively speaking is a smaller CASB, but it sets it up so that it can strategically evolve to that future," he says.

The business case for CASBs couldn't be clearer, if you take CSA's view. "CASBs help organizations reduce their exposure to risky cloud services and in the long run accelerate cloud adoption and demonstrate ROI in use of cloud," Reavis says.

With many organizations in India reluctant to take to the cloud, citing security, lack of visibility and governance, CASBs may be just what they are seeking. While the market is still nascent here, given the rapid maturity cloud has found in this region, I think CASB sits in the sweet spot as far as cloud security is concerned.

About the Author

Haran has been a technology journalist in the Indian market for over six years, covering the enterprise technology segment and specializing in information security. He has driven multiple industry events such as the India Computer Security Conferences (ICSC) and the first edition of the Ground Zero Summit 2013 during his stint at UBM. Prior to joining ISMG, Haran was first a reporter with TechTarget writing for SearchSecurity and SearchCIO; and later, correspondent with InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.